GLBA is a requirement for financial institutions and their service providers who are permitted access to their customer information through the provision of services directly to the institution. Any vendor a financial institution permits to have access to nonpublic personal information would fall under the scope of GLBA requirements. Per 16 C.F.R. 313.3(n)
Nonpublic personal information means:
Personally identifiable financial information (see 16 C.F.R. 313.3(o) for definition and examples); and Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Nonpublic personal information does not include:
Publicly available information, except as included on a list described in paragraph (n)(1)(ii) of this section; or Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-313
The questions then I would ask internally to your product owners would be, will the service provider in question be permitted access to nonpublic personal information as defined by the linked section.
It would be great to hear from any FI's who would like to share any guidance used to assist in defining and evaluating service providers who fall under GLBA requirements.
Original Message:
Sent: 08-31-2023 01:49 PM
From: Anonymous Member
Subject: GLBA & SOC 1 Report
This message was posted by a user wishing to remain anonymous
Good morning/afternoon,
I apologize in advance if these topics have already been addressed in previous posts/threads.
I'm trying to get a better understanding in regards to how our organization can identify if a vendor partner falls under the GLBA category. GLBA states that it is a "...law that governs the collection, use, and disclosure of nonpublic personal information by financial institutions." Does this mean our vendor partners who are considered financial institutions?
Basically, what questions or determination does your organization use to identify if a vendor should be considered a GLBA vendor?
Secondly, we've started to identify if our current and future vendor partners need to provide SOC 1 (preferably Type II) reports. Does anyone have a general set of questions to help identify if vendor partners fall in this category?
Any advice/assistance would be greatly appreciated. Thank you!